
OS X Hardening Mountain Lion 10.8
Version: 1.00
Date: 8/2/2013
Classification: Public
Author(s): Florian Grunow, Matthias Luft, Michael Thumann, Michael Schaefer

TABLE OF CONTENTS

1 INTRODUCTION
2 AUTHENTICATION
  2.1 DISABLE AUTO-LOGIN
  2.2 ENABLE SINGLE USER MODE AUTHENTICATION
  2.3 REQUIRE USERNAME AND PASSWORD FOR LOGIN
  2.4 DISABLE PASSWORD HINTS
  2.5 SET SCREENSAVER INACTIVITY INTERVAL
  2.6 REQUIRE PASSWORD TO UNLOCK SCREENSAVER
  2.7 RESTRICT SUDO CONFIGURATION
  2.8 DISABLE UNAUTHORIZED ADMINISTRATIVE ACCESS FOR SESSIONS LOCKED THROUGH SCREENSAVER
3 SYSTEM SECURITY
  3.1 AUTOMATICALLY LOCK LOGIN KEYCHAIN
  3.2 CHANGE INITIAL PASSWORD FOR LOGIN KEYCHAIN
  3.3 ENABLE AUTOMATIC UPDATES
  3.4 DISABLE GUEST ACCESS
  3.5 ENABLE GATEKEEPER
  3.6 SET EFI PASSWORD
  3.7 DISABLE CORE DUMPS
  3.8 PREVENT SAFARI FROM OPENING KNOWN FILE TYPES
  3.9 SET STRICT GLOBAL UMASK
  3.10 SET STRICT HOME DIRECTORY PERMISSIONS
  3.11 ENABLE SECURE ERASE OF DELETED FILES IN TRASH
  3.12 IMPLEMENT HARD DISK ENCRYPTION
4 NETWORK SECURITY
  4.1 DISABLE APPLE FILE PROTOCOL (AFP)
  4.2 DISABLE FILE TRANSFER PROTOCOL (FTP) DAEMON
  4.3 DISABLE FILE SHARING
  4.4 DISABLE PRINTER SHARING
  4.5 DISABLE ADDITIONAL AND UNNECESSARY SERVICES
  4.6 SET HARDENED TCP/IP KERNEL PARAMETERS
  4.7 ENABLE NETWORK TIME SYNCHRONIZATION VIA NTP
  4.8 DISABLE BLUETOOTH
  4.9 DISABLE LOCATION SERVICES
  4.10 ENABLE FIREWALL
  4.11 DISABLE WAKE-ON-LAN
  4.12 LIMIT IPV6 TO LOCAL SUBNET/DISABLE IPV6
5 LOGGING & MONITORING
  5.1 ENABLE BSM AUDIT
6 APPENDIX: LIST OF SERVICES

ERNW Enno Rey Netzwerke GmbH Tel. 0049 6221 48 03 90

1 INTRODUCTION

As no official hardening guide for Apple's OS X Mountain Lion is available yet, ERNW has compiled the most relevant settings into this checklist. While a significant number of controls could be applied, this document is meant to provide a solid base of hardening measures. Settings which might have severe impact on the functionality of the operating system and need a lot of further testing are not part of this checklist. Each recommended setting is marked either mandatory or optional, to make a clear statement which setting is a MUST (mandatory) and which is a SHOULD (optional) from our point of view. Optional also means that we recommend applying the setting, but functionality required on the system may become unavailable once it is applied.

2 AUTHENTICATION

2.1 Disable Auto-login
Go to Security & Privacy settings in the System Preferences menu. Check Disable automatic login.

2.2 Enable Single User Mode Authentication
In /etc/ttys change "secure" to "insecure" on the console line. Single user mode then prompts for the root password before it gives a shell. If the root account is disabled, booting into single user mode is not possible.

2.3 Require Username and Password for Login
Go to Users & Groups settings in the System Preferences menu. At Display login window as select Name and password.

2.4 Disable Password Hints
Go to Users & Groups settings in the System Preferences menu. Choose Login Options. Uncheck Show password hints.

2.5 Set Screensaver Inactivity Interval
Set the inactivity interval to 5 minutes (300 seconds):
defaults -currentHost write com.apple.screensaver idleTime -int 300

2.6 Require Password to Unlock Screensaver
Go to Security & Privacy settings in the System Preferences menu. Choose tab General. Check Require password [ ] after sleep or screen saver begins. Set the duration to immediately.

2.7 Restrict sudo Configuration
Open the sudo configuration file:
sudo visudo
Restrict each sudo authentication to a single command (timestamp_timeout=0) and to the terminal it was given on (tty_tickets):
Defaults timestamp_timeout=0
Defaults tty_tickets [1]

2.8 Disable Unauthorized Administrative Access for Sessions Locked Through Screensaver
By default any administrator can unlock a session that was locked through the screensaver. In /etc/authorization edit the section system.login.screensaver as follows:

<key>system.login.screensaver</key>
<dict>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>The owner can unlock the screensaver.</string>
    <key>rule</key>
    <string>authenticate-session-owner-or-group</string>
</dict>

Go to the rules section and add the following element (mac-admin-group stands for the group that should still be allowed to unlock other users' sessions):

<key>authenticate-session-owner-or-group</key>
<dict>
    <key>allow-root</key>
    <false/>
    <key>class</key>
    <string>user</string>
    <key>comment</key>
    <string>your comment</string>
    <key>group</key>
    <string>mac-admin-group</string>
    <key>session-owner</key>
    <true/>
    <key>shared</key>
    <false/>
</dict>

[1] In combination with the previous line this option has no additional effect, but we recommend it in case timestamp_timeout is changed later.

3 SYSTEM SECURITY

3.1 Automatically Lock Login Keychain
Open Keychain Access and select the login keychain. Choose Edit > Change Settings for Keychain "login". Set Lock after [ ] minutes of inactivity to 10. Check Lock when sleeping.

3.2 Change Initial Password for Login Keychain
Open Keychain Access and select the login keychain. Choose Edit > Change Password for Keychain "login". Set a new password different from the login password. The login keychain is then no longer unlocked automatically at login and asks for its own password when it is first used.

3.3 Enable Automatic Updates
Go to App Store settings in the System Preferences menu. Check Automatically check for updates. Check Download newly available updates in the background. Check Install app updates. Check Install system data files and security updates. [2]

3.4 Disable Guest Access
Go to Users & Groups settings in the System Preferences menu. Choose the Guest User. Uncheck Allow guests to log in to this computer.

3.5 Enable Gatekeeper
Go to System Preferences > Security & Privacy. Choose tab General. Set Allow applications downloaded from to Mac App Store and identified developers. This prevents unsigned application bundles from being executed. Gatekeeper only evaluates downloaded (quarantined) files and does not cover applications/binaries that are not bundles. Unsigned application bundles from trusted sources can still be executed by right-clicking the application bundle, choosing Open, and confirming the warning dialog with Open; an exception for this bundle is generated automatically.

[2] This setting only enables automatic updates for the system and system software. Updates for 3rd party software must be installed manually or in another way.

3.6 Set EFI Password
Prevent unauthorized access to the EFI of the system by setting a firmware password with the Firmware Password Utility (available from the Recovery system). The password is then required when booting into Single User, Verbose or Target Disk mode, from an alternate boot device, or into the Recovery system (Command-R).

3.7 Disable Core Dumps
sudo launchctl limit core 0
This applies to the running system only; to make it persist across reboots, add the line "limit core 0" to /etc/launchd.conf.

3.8 Prevent Safari from Opening Known File Types
Launch the Safari browser application. Choose Preferences. Choose tab General. Uncheck Open "safe" files after downloading.

3.9 Set Strict Global umask
echo "umask 027" | sudo tee -a /etc/launchd.conf
(sudo echo "umask 027" >> /etc/launchd.conf does not work, because the redirection is performed by the unprivileged shell, not by sudo.) The new umask applies to processes started after the next reboot. This might break the installation of additional software that relies on a less strict umask.

3.10 Set Strict Home Directory Permissions
sudo chmod 700 /Users/<username>
Other local users can then no longer read anything below the home directory, including the Public folder and its Drop Box.

3.11 Enable Secure Erase of Deleted Files in Trash
Launch the Finder application. Choose Preferences. Click Advanced. Check Empty Trash securely.
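The following script is an added example and not part of the ERNW checklist. It makes the umask from 3.9 concrete: it creates a file and a directory under umask 027 and under the OS X default of 022 and prints the resulting modes, which also shows the failure mode behind the caveat above. Everything written under 027 is unreadable to "other", so an installer that drops files for all users under that umask ships them unreadable. The script runs in a temporary directory on any POSIX system and cleans up after itself.

```shell
# Added example, not part of the ERNW checklist: demonstrate what umask 027
# (3.9) does to newly created files and directories, next to the OS X
# default of 022. Works in a temporary directory and removes it afterwards.

# Permission string of a path: first ten characters of "ls -ld".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create one file and one directory under the given umask and print
# "<file mode> <dir mode>", for example "-rw-r----- drwxr-x---" for 027.
modes_under_umask() {
    mask="$1"
    work=$(mktemp -d) || return 1
    (
        umask "$mask"
        : > "$work/file"
        mkdir "$work/dir"
    )
    printf '%s %s\n' "$(mode_of "$work/file")" "$(mode_of "$work/dir")"
    rm -rf "$work"
}

# Exit 0 when a file created under the given umask is readable by "other",
# i.e. the eighth character of the file mode is "r". This is the bit an
# installer that writes into /Applications or /usr/local relies on.
other_can_read_file() {
    modes_under_umask "$1" | cut -c8 | grep -q r
}

# Stand-alone run: show both masks side by side.
for m in 022 027; do
    printf 'umask %s: %s\n' "$m" "$(modes_under_umask "$m")"
done
```

Under 027 the file comes out as -rw-r----- and the directory as drwxr-x---; under 022 they are -rw-r--r-- and drwxr-xr-x. Software that installs for all users from a process started under the 027 umask needs an explicit chmod afterwards.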

3.12 Implement Hard Disk Encryption
Launch the System Preferences application. Choose Security & Privacy. Click FileVault. Turn FileVault on. Keep the recovery key shown during activation in a safe place: without it, a forgotten login password means the data on the disk is lost.

4 NETWORK SECURITY

4.1 Disable Apple File Protocol (AFP)
Go to System Preferences > Sharing. Select File Sharing. Click Options. Uncheck Share files and folders using AFP. Alternatively, AFP can be disabled from the command line:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist
Disabled by default on OS X 10.8.

4.2 Disable File Transfer Protocol (FTP) Daemon
sudo launchctl unload -w /System/Library/LaunchDaemons/ftp.plist
Disabled by default on OS X 10.8.

4.3 Disable File Sharing
Go to System Preferences > Sharing. Uncheck File Sharing.

4.4 Disable Printer Sharing
Go to System Preferences > Sharing. Uncheck Printer Sharing. Disabled by default on OS X 10.8.

4.5 Disable Additional and Unnecessary Services
Disable services which are not needed or required by other applications/services:
sudo launchctl unload -w <FullPathToPlistFile>
Service files (plist files) are located in:
  /System/Library/LaunchDaemons
  /System/Library/LaunchAgents
  /Library/LaunchDaemons
  /Library/LaunchAgents
  /Users/<username>/Library/LaunchAgents
Before disabling a service, make sure that its functionality is not required by other software components or services. The -w flag records the change in launchd's override database, so the service stays disabled after a reboot; sudo launchctl load -w <FullPathToPlistFile> re-enables it.

4.6 Set Hardened TCP/IP Kernel Parameters
Set the following kernel parameters in /etc/sysctl.conf (one name=value pair per line):
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=65535
net.inet.icmp.icmplim=1024
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.tcp.delayed_ack=0
net.inet.ip.forwarding=0
net.inet.tcp.strict_rfc1948=1
The file is read at boot, so the system must be restarted before these changes become active. To apply a single setting immediately, use sudo sysctl -w name=value.

4.7 Enable Network Time Synchronization via NTP
Edit /private/etc/hostconfig and set TIMESYNC=-YES-. Configure the desired NTP server in /private/etc/ntp.conf through a corresponding server entry. Then restart the NTP daemon:
sudo launchctl unload /System/Library/LaunchDaemons/org.ntp.ntpd.plist
sudo launchctl load -w /System/Library/LaunchDaemons/org.ntp.ntpd.plist

4.8 Disable Bluetooth
Disable Bluetooth in System Preferences > Bluetooth.

4.9 Disable Location Services
Go to System Preferences > Security & Privacy. Choose tab Privacy. Uncheck Enable Location Services, or uncheck the applications which should NOT be able to access location services.

4.10 Enable Firewall
Go to System Preferences > Security & Privacy. Choose tab Firewall. Click Turn On Firewall. Click Firewall Options. Check Block all incoming connections; this greys out the per-application list and the automatic allowance for signed software. Only if you are not familiar with firewall configuration and want to make sure that all functionality stays available, leave Block all incoming connections unchecked and check Automatically allow signed software to receive incoming connections instead. Check Enable stealth mode.
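The following script is an added example and not part of the ERNW checklist. It turns the list in 4.6 into a compliance check: it compares the desired values with a snapshot of the running kernel parameters and prints the sysctl -w commands that are still needed. DESIRED is the 4.6 list in /etc/sysctl.conf syntax; SNAPSHOT is constructed for this example in the "name: value" format that sysctl -a prints on OS X (the "name = value" form used by Linux is accepted too). On a real host pass the output of sysctl -a instead.

```shell
# Added example, not part of the ERNW checklist: compare the kernel
# parameters from 4.6 with a snapshot of the running values and print the
# "sysctl -w" commands that bring the host into line.

# Desired values from 4.6 in /etc/sysctl.conf syntax.
DESIRED='net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=65535
net.inet.icmp.icmplim=1024
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.tcp.delayed_ack=0
net.inet.ip.forwarding=0
net.inet.tcp.strict_rfc1948=1'

# Constructed "sysctl -a" output (OS X prints "name: value"). Three values
# differ from DESIRED and net.inet.tcp.strict_rfc1948 is absent, so four
# corrections are expected.
SNAPSHOT='net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 65535
net.inet.icmp.icmplim: 250
net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 1
net.inet.ip.redirect: 1
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0
net.inet.icmp.bmcastecho: 0
net.inet.icmp.maskrepl: 0
net.inet.tcp.delayed_ack: 0
net.inet.ip.forwarding: 0'

# sysctl_value NAME SNAPSHOT: print the current value of NAME, or nothing if
# the key is not in the snapshot. Accepts "name: value" and "name = value".
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F'[:=]' \
        '{ sub(/[ \t]+$/, "", $1) } $1 == k { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# sysctl_deviations DESIRED SNAPSHOT: one "sudo sysctl -w name=value" line
# per key whose running value differs from the desired one or is missing.
sysctl_deviations() {
    printf '%s\n' "$1" | grep -v '^#' | grep '=' | while IFS='=' read -r name want; do
        have=$(sysctl_value "$name" "$2")
        if [ "$have" != "$want" ]; then
            printf 'sudo sysctl -w %s=%s   # current: %s\n' "$name" "$want" "${have:-<missing>}"
        fi
    done
}

# sysctl_compliant DESIRED SNAPSHOT: exit 0 only if nothing deviates.
sysctl_compliant() {
    [ -z "$(sysctl_deviations "$1" "$2")" ]
}

# Stand-alone run against the constructed snapshot.
sysctl_deviations "$DESIRED" "$SNAPSHOT"
```

On the host itself, sysctl_deviations "$DESIRED" "$(sysctl -a 2>/dev/null)" lists what /etc/sysctl.conf has not yet applied (for example before the reboot that 4.6 requires), and the printed commands can be run as they are.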

4.11 Disable Wake-on-LAN
Go to System Preferences > Energy Saver. Choose tab Options. Uncheck Wake for network access.

4.12 Limit IPv6 to Local Subnet/Disable IPv6 [3]
Go to System Preferences > Network. For all relevant interfaces click Advanced. For Configure IPv6 select Link-local only. This ensures that IPv6 is only used on the local link. If you would like to disable IPv6 completely, use the following commands.
To list all network services:
networksetup -listallnetworkservices
To disable IPv6 on a specific network service, e.g. Wi-Fi:
sudo networksetup -setv6off Wi-Fi

[3] While IPv6 is not in use in many environments yet, we recommend gathering operational and security requirements for future deployments: http://blog.ipspace.net/2013/05/the-dangers-of-ignoring-ipv6.html

5 LOGGING & MONITORING

5.1 Enable BSM Audit
Edit /etc/security/audit_control and include the following lines:
dir:/var/audit
flags:all
minfree:5
naflags:lo,aa,pc,nt
policy:cnt,argv
filesz:1g
expire-after:5g
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated

Start a new audit trail using the adjusted configuration:
sudo audit -n

As only processes started after the change are audited with the new flags, the system must be restarted. flags:all records every event class for every user and produces a large trail; filesz and expire-after bound the size of a single trail file and of the whole trail directory respectively.

6 APPENDIX: LIST OF SERVICES

The following table lists service files and the corresponding functionality that should be disabled/must not be enabled unless required.

Filename                                       Functionality
com.apple.applefileserver.plist                AFP
ftp.plist                                      FTP
smbd.plist                                     SMB
org.apache.httpd.plist                         HTTP server
eppc.plist                                     Remote Apple Events
com.apple.xgridagentd.plist                    Xgrid
com.apple.xgridcontrollerd.plist               Xgrid
com.apple.internetsharing.plist                Internet Sharing
com.apple.dashboard.advisory.fetch.plist       Dashboard auto-update
com.apple.usernotificationcenter.plist         User notifications
com.apple.remotedesktop.privilegeproxy.plist   ARD
com.apple.remotedesktop.plist                  ARD
com.apple.iidcassistant.plist                  iSight
com.apple.blued.plist                          Bluetooth
com.apple.remoteui.plist                       Remote Control
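The following script is an added example and not part of the ERNW checklist. The table above and section 4.5 work with plist file names, but launchd identifies a job by the Label key inside the plist, and for some files that label does not match the file name. The helpers below read the Label out of a plist and check it against the output of launchctl list (columns PID, Status, Label, preceded by a header line), which is how to verify that a service from the table is really not loaded. The plist text, the label com.example.ftpd and the launchctl snapshot are all constructed for this example; on a real host read the plists from the directories listed in 4.5 and use the output of sudo launchctl list.

```shell
# Added example, not part of the ERNW checklist: map plist files from the
# appendix to launchd labels and check them against a "launchctl list"
# snapshot. Plist, label and snapshot are constructed for the example.

# plist_label: print the Label of a launchd plist given on stdin.
plist_label() {
    awk '/<key>Label<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }'
}

# is_loaded LABEL SNAPSHOT: exit 0 if LABEL appears in the Label column
# (the first line of "launchctl list" is a header and is skipped).
is_loaded() {
    printf '%s\n' "$2" | awk -v l="$1" 'NR > 1 && $3 == l { found = 1 } END { exit !found }'
}

# report_loaded SNAPSHOT LABEL...: print each LABEL that is loaded.
report_loaded() {
    snapshot="$1"
    shift
    for label in "$@"; do
        if is_loaded "$label" "$snapshot"; then
            printf '%s\n' "$label"
        fi
    done
}

# Constructed plist standing in for a file named ftp.plist: the Label
# (hypothetical here) differs from the file name.
FTP_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.ftpd</string>
    <key>Program</key>
    <string>/usr/libexec/ftpd</string>
</dict>
</plist>'

# Constructed "launchctl list" output: the FTP job and Bluetooth are loaded,
# the AFP server is not.
SNAPSHOT='PID Status Label
- 0 com.apple.SecurityServer
431 0 com.example.ftpd
- 0 com.apple.blued'

# Stand-alone run: which of these services are loaded in the snapshot?
report_loaded "$SNAPSHOT" "$(printf '%s\n' "$FTP_PLIST" | plist_label)" \
    com.apple.AppleFileServer com.apple.blued
```

A job that still shows up here after launchctl unload -w is either loaded from a second plist with the same label in another of the 4.5 directories or is being started on demand by something else; in both cases the dependency check recommended in 4.5 applies.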